02-07-2013 03:46 PM
I am trying to create a role on the IAP, derived from RADIUS, where some users will have more bandwidth.
In the latest 220.127.116.11-3.2 user guide, in the "Role Derivation" section, it is mentioned:
"Every client in an Aruba Instant network is associated with a user role, which determines the client's
network privileges, how often it must re-authenticate, and which bandwidth contracts are applicable."
I am trying to actually do that, but can't really find a way. The only bandwidth contracts I see are in the WLAN settings but they are global to that WLAN... Nothing in the access rules that would be applied to the role derived from my RADIUS attribute, the closest is 802.1p and DSCP, but I would have to enforce the bandwidth contract with an external device.
Any ideas? Is it a typo left from the controller-based guide that is used as a basis for the IAP guide?
02-10-2013 03:21 PM
1. On the RADIUS server, create a Filter-ID per user to group them (example: Filter-ID "Director" for upper management, "Staff" for lower staff, etc.)
2. In the IAP's SSID (SSID-A) settings, go to ACCESS (last tab), and choose ROLE-BASE
3. Every SSID automatically creates a new ROLE for itself, so for this example, you will see role SSID-A with an ALLOW-ALL policy
4. Create a new ROLE, set the bandwidth and ACLs for each user group (Filter-ID)
5. Select the default role (SSID-A), on the right panel, click the New button and create new access rules with this format:
   Attribute : Filter-ID
   Operator : Contains / Equals
   String : Filter-ID strings on your RADIUS server
   Role : Put the new role you created in point 4
6. You can add multiple access roles as long as you create different ROLEs (as in point 4)
With this config, users with a specific Filter-ID will be derived to the role they are appointed, while users without a Filter-ID will be using the default role (SSID-A).
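Added example, not part of the original reply and not Aruba code: a small Python model of the Filter-ID rules from step 5, showing how the Contains operator can hand a role to a Filter-ID it was not meant for, while Equals falls back to the default role. It assumes rules are checked top-down with first match winning and case-sensitive comparison; the `*-role` names and the "Non-Staff-Contractor" value are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    attribute: str  # RADIUS attribute name (Filter-Id, RFC 2865)
    operator: str   # "equals" or "contains", as in step 5
    string: str     # value configured in the rule
    role: str       # role created in step 4

def derive_role(rules, radius_attrs, default_role):
    """Return the role for a client from its Access-Accept attributes.
    Assumption: top-down evaluation, first match wins."""
    for rule in rules:
        value = radius_attrs.get(rule.attribute)
        if value is None:
            continue
        if rule.operator == "equals" and value == rule.string:
            return rule.role
        if rule.operator == "contains" and rule.string in value:
            return rule.role
    return default_role  # no Filter-Id or no match: SSID default role

def audit_contains(rules, filter_ids):
    """List (filter_id, role) pairs where a 'contains' rule matches a
    Filter-Id that is not exactly the configured string."""
    return [(fid, r.role) for fid in filter_ids for r in rules
            if r.operator == "contains" and r.string in fid and fid != r.string]

# Constructed rule sets: same roles, different operator for "Staff".
LOOSE = [Rule("Filter-Id", "equals", "Director", "director-role"),
         Rule("Filter-Id", "contains", "Staff", "staff-role")]
STRICT = [Rule("Filter-Id", "equals", "Director", "director-role"),
          Rule("Filter-Id", "equals", "Staff", "staff-role")]

# Constructed Filter-Id values as they might be defined on the RADIUS server.
KNOWN_IDS = ["Director", "Staff", "Non-Staff-Contractor"]

if __name__ == "__main__":
    for fid in KNOWN_IDS + [None]:
        attrs = {"Filter-Id": fid} if fid else {}
        print(fid, "->", derive_role(LOOSE, attrs, "SSID-A"),
              "/", derive_role(STRICT, attrs, "SSID-A"))
    print("over-matching contains rules:", audit_contains(LOOSE, KNOWN_IDS))
```

Since the default SSID-A role is ALLOW-ALL in this setup, a client that matches no rule is not more restricted than the derived roles, so the default role's own bandwidth and ACLs deserve the same review as the derived ones.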